DAOD 6003-2, Information Technology Security Risk Management
Date of Issue: 2014-01-14
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Forces (CF members).
Approval Authority: Assistant Deputy Minister (Information Management) (ADM(IM))
Enquiries: Director Information Management Security (DIM Secur)
2. Definitions
- authorization (autorisation)
- The ongoing process of obtaining and maintaining official management decision by a senior organizational official to authorize operation of an information system and to explicitly accept the risk of relying on the information system to support a set of business activities based on the implementation of an agreed-upon set of security controls, and the results of continuous security assessment. (IT Security Risk Management: A Lifecycle Approach (ITSG-33), Communications Security Establishment Canada)
- information technology operational personnel (personnel opérationnel des technologies de l’information)
- Persons who work as network or system administrators or managers, account managers or help desk personnel, or provide other information technology support. (Defence Terminology Bank record number 47901)
- information technology security control (contrôle de sécurité des technologies de l’information)
- A management, operational, or technical high-level security requirement prescribed for an information system to protect the confidentiality, integrity, and availability of its IT assets. Security controls are implemented using various types of security solutions that include security products, security policies, security practices, and security procedures. (IT Security Risk Management: A Lifecycle Approach (ITSG-33), Communications Security Establishment Canada)
- information technology security control profile (profil de contrôle de sécurité des technologies de l’information)
- A set of security controls that are the minimum requirements for an information technology security function or information system.
Note – A profile must satisfy business needs and Treasury Board baseline security controls with due consideration for the technical context and the threat. (Defence Terminology Bank record number 47575)
- information technology security practitioner (praticien de la sécurité des technologies de l’information)
- A person who performs an engineering, implementation, maintenance or other information technology security function to protect the confidentiality, integrity and availability of information technology systems and assets. (Defence Terminology Bank record number 47902)
- operational authority (autorité opérationnelle)
- The person who has the authority to define requirements and operating principles, set standards and accept risk within their area of responsibility. (Defence Terminology Bank record number 43435)
- risk management (gestion du risque)
- A systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on and communicating risk issues. (Framework for the Management of Risk, Treasury Board)
- security authority (autorité de sécurité)
- The person who has the authority to identify risk, provide advice and security standards for endorsement by the operational authority and technical authority, and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43436)
- security risk management (gestion du risque de sécurité)
- A component of an overall risk management process involving the organization and coordination of activities and processes for controlling security risk. (Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board)
- technical authority (autorité technique)
- The person who has the authority to set technical specifications and standards, manage configurations, provide technical advice and monitor compliance within their area of responsibility. (Defence Terminology Bank record number 43437)
3. Overview
3.1 The Treasury Board Framework for the Management of Risk establishes that departments and agencies must ensure the integration of risk management into the activities of their organizations.
3.2 The Treasury Board Operational Security Standard: Management of Information Technology Security (MITS) provides that departments must continuously manage the security risks to information and information technology (IT) assets throughout the life cycle of their programmes and services.
3.3 IT security risks result from the exposure of IT systems and IT assets to the compromise of their confidentiality, integrity, availability, intended use and asset value by accidental or deliberate threats and natural hazards. IT security risk management is the process used to manage these risks.
3.4 IT security risk management is one of several components of the IT Security Programme and the Departmental Security Program that the DND and the CF need to perform as a routine part of their ongoing business and operations. IT security risk management is a key process in the delivery of secure and reliable IT services that support the mission and mandate of the DND and the CF.
3.5 This DAOD is part of the DND and CF IM and IT Policy Framework and should be read in conjunction with other relevant ADM(IM) policies, instructions, directives, standards and guidance.
3.6 The objectives of this DAOD are to:
- establish IT security risk management for programmes, systems and services;
- establish IT security risk management as an important business enabler within the decision-making process; and
- identify responsibilities for:
- the identification, management, documentation and monitoring of IT security risks; and
- providing direction and guidance on IT security risk management practices.
3.7 The expected results of this DAOD are:
- increased efficiency and transparency of IT security risk management processes;
- improved security risk management of IT systems and IT assets throughout the entire life cycle of the systems and assets;
- increased awareness and accountability for IT security risk decisions; and
- improved consistency in IT security risk management.
4. Risk Management
4.1 IT security risk management is a multifaceted undertaking that requires the involvement of DND employees and CF members to establish DND and CF objectives, define IT security requirements, develop IT security controls and operate secure IT systems that support DND business and CF operations.
4.2 The DND and CF IT security risk management processes and activities have replaced the certification and accreditation (C&A) process with the assessment and authorization (A&A) process for IT-enabled projects and IT systems.
4.3 The DND and CF IT security risk management processes and activities:
- align with the processes and activities described in IT Security Risk Management: A Lifecycle Approach (ITSG-33), Communications Security Establishment Canada, and are integrated into all IT-enabled projects, IT systems and IT assets throughout the development life cycle; and
- ensure that key steps are performed on a continual basis throughout the life cycle of IT systems and IT assets, and ensure IT security risk management is applied from a DND and CF perspective.
4.4 IT security risk management enables the:
- IT security authority (SA) to identify the IT security risks associated with IT assets; and
- operational authority (OA) to make decisions on risk issues within their delegated area of responsibility.
4.5 Within the DND and the CF, IT security risk management is conducted by DIM Secur, as the DND and the CF IT SA, with the support of the applicable IT system technical authority (TA) to:
- assess IT system security requirements;
- select and implement IT system security control profiles;
- monitor and assess IT security controls; and
- identify any required IT security control updates.
Definition of IT Security Risk Management Requirements
4.6 Managers at all levels must define their IT security risk management requirements to ensure that their IT systems and IT assets are appropriately protected from compromise.
Selection and Deployment of IT Security Control Profiles
4.7 The SA selects the appropriate IT security control profile that meets the requirements of the target IT system or IT asset. The OA, project manager or programme and service delivery manager must then consult DIM Secur to adjust specific IT security controls to meet the IT security requirements of the IT system or IT asset. The OA, project manager or programme and service delivery manager must subsequently implement the customized IT security control profile onto their IT system or IT asset.
Monitoring and Assessment of IT Security Controls
4.8 The SA, IT security practitioners and IT operational personnel must continually monitor and assess the performance of the implemented IT security controls in IT systems and IT assets, through the collection, consolidation and continual analysis of IT security control performance metrics. Monitoring IT security controls ensures that the selected IT security controls remain relevant and appropriate for the constantly changing threat environment.
4.9 The SA, IT security practitioners and IT operational personnel must ensure that the OA, project manager or programme and service delivery manager, as applicable, is informed of any changes in the previously accepted risk level.
Identification of IT Security Control Updates
4.10 Based on the IT security control performance analysis, the OA may need to update the implemented IT security controls. The OA, in consultation with the SA and TA, may direct that the IT security controls be re-evaluated and adjusted until an acceptable level of residual risk is reached. The OA subsequently accepts the residual risk and the updated IT security controls are then implemented. Changes in any of the following could initiate an IT security control update:
- business or mission objectives;
- information sensitivity;
- IT security requirements;
- threat assessments or threat agents; and
- IT system or IT asset performance.
Theatre of Operations IT Security Risks
4.11 The nature of threats in a theatre of operations can differ greatly from the somewhat static perspective of a system-specific view. Although commanders have discretion in managing operational and tactical risks, the acceptance of significant IT security risks on the basis of operational efficiency must be weighed against the impacts to the confidentiality, integrity and availability of the information on IT systems. When a decision is made to accept a particular risk that affects the security of an IT system, the commander must report the factors leading to the acceptance of that risk to DIM Secur.
4.12 B-GJ-005-502/FP-000, Risk Management for CF Operations, provides instruction on the decision-making process to assist commanders and their staffs in identifying, analyzing, evaluating and controlling all types of risk.
5. Consequences of Non-Compliance
5.1 Non-compliance with this DAOD may have consequences for both the DND and the CF as institutions, and for DND employees and CF members as individuals. Suspected non-compliance will be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance.
Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
6. Responsibilities
6.1 The following table identifies the responsibilities associated with this DAOD:
| The … | is or are responsible for … |
|---|---|
| DIM Secur (as the SA) | |
| Commander, Canadian Forces Information Operations Group | |
| IT security practitioners | |
| IT operational personnel | |
| programme and service delivery managers | |
| DND employees and CF members | |
7. References
Acts, Regulations, Central Agency Policies and Policy DAOD
- Criminal Code
- Financial Administration Act
- National Defence Act
- Privacy Act
- Framework for the Management of Compliance, Treasury Board
- Framework for the Management of Risk, Treasury Board
- Policy on Information Management, Treasury Board
- Policy on Management of Information Technology, Treasury Board
- Policy on Privacy Protection, Treasury Board
- Directive on Departmental Security Management, Treasury Board
- Directive on Recordkeeping, Treasury Board
- Operational Security Standard: Management of Information Technology Security (MITS), Treasury Board
- DAOD 6003-0, Information Technology Security
Other References
- DAOD 1002-0, Personal Information
- DAOD 1003-1, Business Continuity Planning Program
- DAOD 6001-1, Recordkeeping
- DAOD 6002-1, Management of Information Technology
- DAOD 6002-8, Electronic Authentication and Authorization
- DAOD 6002-9, Information Technology Asset Management
- DAOD 6002-10, Management of Information Technology Projects
- DAOD 6003-1, Information Technology Security Programme
- National Defence Security Policy
- National Defence Security Instructions
- DND and CF IM and IT Policy Framework
- IT Security Risk Management: A Lifecycle Approach (ITSG-33), Communications Security Establishment Canada
- B-GJ-005-502/FP-000, Risk Management for Canadian Forces Operations